Technology for analyzing and evaluating the vulnerability of information and communication systems is intended to identify, in advance, the vulnerabilities that exist in a given system and to eliminate those vulnerabilities based on the results of the identification. Accordingly, technology for analyzing and evaluating the vulnerability of information and communication systems enables vulnerabilities to be eliminated before they are exploited for illegitimate intrusions, thereby preventing various types of intrusion from occurring. Furthermore, the results of analyzing or evaluating the vulnerability of a system are used as a means of intuitively conveying the security state of the system to the management of the corresponding organization.
Korean Patent No. 0851521 discloses technology related to a cyber attack system and method for providing an active and automated integrated cyber attack model that is capable of detecting and analyzing the vulnerability of a network or a system as security technology for a network system.
However, this conventional technology for analyzing or evaluating vulnerability merely provides an active and automated integrated cyber attack model that is capable of detecting and analyzing the vulnerability of a network or a system; it does not disclose technology for obtaining results that evaluate vulnerability intuitively or objectively.
Meanwhile, if the results of analyzing or evaluating the vulnerability of a system are not quantified, it is difficult to represent the state of the system using a representative value.
Furthermore, the analysis or evaluation of vulnerability is not performed once, but is in general performed periodically. When the results of a periodically performed task are reported, it is necessary to indicate comparisons between the current results and past results, in addition to the current results themselves. For example, the result statement “a specific system is in a dangerous state because access control is insufficient because of lack of password management and the presence of an unnecessary service” may confuse a user. In this case, a result statement based on quantification may be provided instead. That is, the current status can be conveyed intuitively and objectively by describing it in comparison with a past status, even without a detailed description, as in the result statement “the vulnerability has increased because the past status was 85 points (a superior level) two years ago and the current status is 77 points (an insufficient level).”
Although it is clearly necessary to analyze or evaluate vulnerability, related research and development has not been carried out sufficiently. A first reason for this is related to requests to modify the results of analyzing or evaluating vulnerability. System administrators often request modification of the results that are calculated after a vulnerability has been identified and the possibility of its malicious exploitation has been determined via simulated intrusions. That is, system administrators request that results be modified either because they do not want a low score to be reported to the management, or because they want a lower score to be reported to the management so that they can use the reported lower score to request additional resources, such as a higher budget or extra personnel, from the management. A second reason is that there have been no attempts to implement a method of quantifying vulnerability and simulated intrusion results together with a method of guaranteeing that the former method is objective.
Even where the results of analyzing or evaluating vulnerability have been quantified using specific methods, their objectivity cannot be guaranteed. A first reason for this is that the types of vulnerability used to calculate the score are limited. That is, since only a few characteristic types of vulnerability, selected from the identified vulnerabilities because they exert great influence when maliciously exploited, are used, the other types of vulnerability are excluded from the calculation of the score. A second reason is that the subjectivity of the analyzer is excessively involved. Even when the same vulnerability identification results for the same system are provided and the scoring of those results is requested, different analyzers calculate different scores because they assign different weights to the various types of vulnerability.
Because of the above-described problems, the results of analyzing or evaluating vulnerability have low objectivity, and the analyzer has no choice but to modify the results, since there is no logical basis on which the analyzer can refuse the request to modify them.
Accordingly, there is an urgent need for technology that can quantify the security level of a system as a numerical value and convey that information.